Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec.api40
-rw-r--r--src/vnet/ipsec/ipsec_api.c81
-rw-r--r--src/vnet/ipsec/ipsec_cli.c131
-rw-r--r--src/vnet/ipsec/ipsec_if.c59
-rw-r--r--src/vnet/ipsec/ipsec_if.h12
-rw-r--r--src/vnet/ipsec/ipsec_sa.c46
-rw-r--r--src/vnet/ipsec/ipsec_sa.h2
7 files changed, 0 insertions, 371 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 3a2c993f99c..bb9e8056251 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -305,27 +305,6 @@ define ipsec_sad_entry_add_del_reply
u32 stat_index;
};
-/** \brief IPsec: Update Security Association keys
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-
- @param sa_id - sa id
-
- @param crypto_key - crypto keying material
- @param integrity_key - integrity keying material
-*/
-
-autoreply define ipsec_sa_set_key
-{
- u32 client_index;
- u32 context;
-
- u32 sa_id;
-
- vl_api_key_t crypto_key;
- vl_api_key_t integrity_key;
-};
-
/** \brief IPsec: Get SPD interfaces
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@@ -467,25 +446,6 @@ define ipsec_sa_details {
u64 total_data_size;
};
-/** \brief Set key on IPsec interface
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param sw_if_index - index of tunnel interface
- @param key_type - type of key being set
- @param alg - algorithm used with key
- @param key_len - length key in bytes
- @param key - key
-*/
-autoreply define ipsec_tunnel_if_set_key {
- u32 client_index;
- u32 context;
- u32 sw_if_index;
- u8 key_type;
- u8 alg;
- u8 key_len;
- u8 key[128];
-};
-
/** \brief Set new SA on IPsec interface
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 5683b6c1f25..2c7c0d9626d 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -53,13 +53,11 @@ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
_(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
_(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
_(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
-_(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \
_(IPSEC_SA_DUMP, ipsec_sa_dump) \
_(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
_(IPSEC_SPD_DUMP, ipsec_spd_dump) \
_(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
-_(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \
_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
_(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
_(IPSEC_BACKEND_DUMP, ipsec_backend_dump)
@@ -592,29 +590,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
}
static void
-vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp)
-{
- vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
- vl_api_ipsec_sa_set_key_reply_t *rmp;
- ipsec_key_t ck, ik;
- u32 id;
- int rv;
-#if WITH_LIBSSL > 0
-
- id = ntohl (mp->sa_id);
-
- ipsec_key_decode (&mp->crypto_key, &ck);
- ipsec_key_decode (&mp->integrity_key, &ik);
-
- rv = ipsec_set_sa_key (id, &ck, &ik);
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-
- REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY);
-}
-
-static void
vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
mp)
{
@@ -765,62 +740,6 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
#endif
}
-
-static void
-vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t *
- mp)
-{
- vl_api_ipsec_tunnel_if_set_key_reply_t *rmp;
- ipsec_main_t *im = &ipsec_main;
- vnet_main_t *vnm = im->vnet_main;
- vnet_sw_interface_t *sw;
- u8 *key = 0;
- int rv;
-
-#if WITH_LIBSSL > 0
- sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));
-
- switch (mp->key_type)
- {
- case IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO:
- case IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO:
- if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
- mp->alg >= IPSEC_CRYPTO_N_ALG)
- {
- rv = VNET_API_ERROR_INVALID_ALGORITHM;
- goto out;
- }
- break;
- case IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG:
- case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG:
- if (mp->alg >= IPSEC_INTEG_N_ALG)
- {
- rv = VNET_API_ERROR_INVALID_ALGORITHM;
- goto out;
- }
- break;
- case IPSEC_IF_SET_KEY_TYPE_NONE:
- default:
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- break;
- }
-
- key = vec_new (u8, mp->key_len);
- clib_memcpy (key, mp->key, mp->key_len);
-
- rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg,
- key);
- vec_free (key);
-#else
- clib_warning ("unimplemented");
-#endif
-
-out:
- REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
-}
-
-
static void
vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
{
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 36ea6145993..312289ae7d8 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -346,54 +346,6 @@ VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
};
/* *INDENT-ON* */
-static clib_error_t *
-set_ipsec_sa_key_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- unformat_input_t _line_input, *line_input = &_line_input;
- ipsec_key_t ck = { }, ik =
- {
- };
- clib_error_t *error = NULL;
- u32 id;
-
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (line_input, "%u", &id))
- ;
- else
- if (unformat (line_input, "crypto-key %U", unformat_ipsec_key, &ck))
- ;
- else if (unformat (line_input, "integ-key %U", unformat_ipsec_key, &ik))
- ;
- else
- {
- error = clib_error_return (0, "parse error: '%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- ipsec_set_sa_key (id, &ck, &ik);
-
-done:
- unformat_free (line_input);
-
- return error;
-}
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
- .path = "set ipsec sa",
- .short_help = "set ipsec sa <id> crypto-key <key> integ-key <key>",
- .function = set_ipsec_sa_key_command_fn,
-};
-/* *INDENT-ON* */
-
static void
ipsec_sa_show_all (vlib_main_t * vm, ipsec_main_t * im)
{
@@ -869,89 +821,6 @@ VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
};
/* *INDENT-ON* */
-static clib_error_t *
-set_interface_key_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- unformat_input_t _line_input, *line_input = &_line_input;
- ipsec_main_t *im = &ipsec_main;
- ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
- u32 hw_if_index = (u32) ~ 0;
- u32 alg;
- u8 *key = 0;
- clib_error_t *error = NULL;
-
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (line_input, "%U",
- unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
- ;
- else
- if (unformat
- (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
- type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
- else
- if (unformat
- (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
- type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
- else
- if (unformat
- (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
- type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
- else
- if (unformat
- (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
- type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
- else if (unformat (line_input, "%U", unformat_hex_string, &key))
- ;
- else
- {
- error = clib_error_return (0, "parse error: '%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
- {
- error = clib_error_return (0, "unknown key type");
- goto done;
- }
-
- if (alg > 0 && vec_len (key) == 0)
- {
- error = clib_error_return (0, "key is not specified");
- goto done;
- }
-
- if (hw_if_index == (u32) ~ 0)
- {
- error = clib_error_return (0, "interface not specified");
- goto done;
- }
-
- ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
-
-done:
- vec_free (key);
- unformat_free (line_input);
-
- return error;
-}
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (set_interface_key_command, static) = {
- .path = "set interface ipsec key",
- .short_help =
- "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
- .function = set_interface_key_command_fn,
-};
-/* *INDENT-ON* */
-
clib_error_t *
ipsec_cli_init (vlib_main_t * vm)
{
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index 8e2b4b5be1b..8e0fba28bad 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -514,65 +514,6 @@ ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
}
int
-ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
- ipsec_if_set_key_type_t type, u8 alg, u8 * key)
-{
- vlib_main_t *vm = vlib_get_main ();
- ipsec_main_t *im = &ipsec_main;
- vnet_hw_interface_t *hi;
- ipsec_tunnel_if_t *t;
- ipsec_sa_t *sa;
-
- hi = vnet_get_hw_interface (vnm, hw_if_index);
- t = pool_elt_at_index (im->tunnel_interfaces, hi->dev_instance);
-
- if (hi->flags & VNET_HW_INTERFACE_FLAG_LINK_UP)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
-
- if (type == IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO)
- {
- sa = pool_elt_at_index (im->sad, t->output_sa_index);
- ipsec_sa_set_crypto_alg (sa, alg);
- ipsec_mk_key (&sa->crypto_key, key, vec_len (key));
- sa->crypto_calg = im->crypto_algs[alg].alg;
- vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg,
- key, vec_len (key));
- }
- else if (type == IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG)
- {
- sa = pool_elt_at_index (im->sad, t->output_sa_index);
- ipsec_sa_set_integ_alg (sa, alg);
- ipsec_mk_key (&sa->integ_key, key, vec_len (key));
- sa->integ_calg = im->integ_algs[alg].alg;
- vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg,
- key, vec_len (key));
- }
- else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO)
- {
- sa = pool_elt_at_index (im->sad, t->input_sa_index);
- ipsec_sa_set_crypto_alg (sa, alg);
- ipsec_mk_key (&sa->crypto_key, key, vec_len (key));
- sa->crypto_calg = im->crypto_algs[alg].alg;
- vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg,
- key, vec_len (key));
- }
- else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG)
- {
- sa = pool_elt_at_index (im->sad, t->input_sa_index);
- ipsec_sa_set_integ_alg (sa, alg);
- ipsec_mk_key (&sa->integ_key, key, vec_len (key));
- sa->integ_calg = im->integ_algs[alg].alg;
- vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg,
- key, vec_len (key));
- }
- else
- return VNET_API_ERROR_INVALID_VALUE;
-
- return 0;
-}
-
-
-int
ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
u8 is_outbound)
{
diff --git a/src/vnet/ipsec/ipsec_if.h b/src/vnet/ipsec/ipsec_if.h
index d1fa9bd4a91..40867108293 100644
--- a/src/vnet/ipsec/ipsec_if.h
+++ b/src/vnet/ipsec/ipsec_if.h
@@ -17,15 +17,6 @@
#include <vnet/ipsec/ipsec_sa.h>
-typedef enum
-{
- IPSEC_IF_SET_KEY_TYPE_NONE,
- IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO,
- IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO,
- IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG,
- IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG,
-} ipsec_if_set_key_type_t;
-
typedef struct
{
/* Required for pool_get_aligned */
@@ -111,9 +102,6 @@ extern int ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
ipsec_gre_tunnel_add_del_args_t *
args);
-extern int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
- ipsec_if_set_key_type_t type,
- u8 alg, u8 * key);
extern int ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index,
u32 sa_id, u8 is_outbound);
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 8e8546985ec..633f640ced2 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -341,52 +341,6 @@ ipsec_is_sa_used (u32 sa_index)
return 0;
}
-int
-ipsec_set_sa_key (u32 id, const ipsec_key_t * ck, const ipsec_key_t * ik)
-{
- vlib_main_t *vm = vlib_get_main ();
- ipsec_main_t *im = &ipsec_main;
- uword *p;
- u32 sa_index;
- ipsec_sa_t *sa = 0;
- clib_error_t *err;
-
- p = hash_get (im->sa_index_by_sa_id, id);
- if (!p)
- return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such sa-id */
-
- sa_index = p[0];
- sa = pool_elt_at_index (im->sad, sa_index);
-
- /* new crypto key */
- if (ck)
- {
- clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
- vnet_crypto_key_modify (vm, sa->crypto_key_index, sa->crypto_calg,
- (u8 *) ck->data, ck->len);
- }
-
- /* new integ key */
- if (ik)
- {
- clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
- vnet_crypto_key_modify (vm, sa->integ_key_index, sa->integ_calg,
- (u8 *) ik->data, ik->len);
- }
-
- if (ck || ik)
- {
- err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
- if (err)
- {
- clib_error_free (err);
- return VNET_API_ERROR_SYSCALL_ERROR_1;
- }
- }
-
- return 0;
-}
-
u32
ipsec_get_sa_index_by_sa_id (u32 sa_id)
{
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index e09b5391df3..969b5d142ee 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -214,8 +214,6 @@ extern void ipsec_sa_set_integ_alg (ipsec_sa_t * sa,
ipsec_integ_alg_t integ_alg);
extern u8 ipsec_is_sa_used (u32 sa_index);
-extern int ipsec_set_sa_key (u32 id,
- const ipsec_key_t * ck, const ipsec_key_t * ik);
extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);